Added in Iguana version 6.1 for Enterprise and Professional tiers only.
Introduction
You must initialize (unlock) the locker using the Log Locker Password each time the Iguana Server is started. This enables Iguana to access the log encryption key. If the initialization process fails, Iguana will not be able to encrypt or decrypt the logs.
Locker Initialization Methods
There are two approved ways to initialize the locker file for production servers:
- Enter the password manually using the Iguana GUI:
  This is the most secure method when used correctly. Because the password is not stored on disk, it minimizes the risk of hacking. Unfortunately, this method has human weaknesses. There is a temptation to use a simple, memorable password that is less secure. If multiple people need to restart the Iguana Server, the password will need to be shared. If a strong password is used and shared, it becomes more likely that people will need to record it (on disk, on paper, etc.), which is a definite security risk (how often have you seen a password on a sticky note attached to the monitor?).
  - Each time the Iguana Server is started you will need to enter the Log Locker Password
  - The Initialize Log Encryption Locker screen opens so you can enter the password
  - You cannot leave this screen until the correct password has been entered
- Use the Auto-Unlock feature to enter the password automatically:
  This method is the best compromise in most cases, particularly if there are multiple people who need to be able to restart the Iguana Server. Iguana encrypts and stores your password in a proprietary auto-unlocker file that uses a .autounlocker extension and is located in the same directory as your log encryption locker (making it very difficult to hack). In theory a determined hacker could recover the password from the autounlocker file, but in practice this is highly unlikely. To mitigate this risk, access to the unlocker file should be restricted to as few users as possible (preferably just the administrator). The main advantage is that the user is not required to memorize the password and is therefore not tempted to use a simple (easily hacked) password. The main weakness of this method is a human one: you are more likely to lose or forget the password because you are not using it regularly (not a problem if you have a system in place to store the password securely).
  - When Auto-Unlock is enabled Iguana automatically applies the user password on startup
  - This option can be enabled/disabled in the Log Encryption settings
  - Iguana encrypts and stores your password in a proprietary auto-unlocker file
  - Each time Iguana starts up it extracts and decrypts the password from the auto-unlocker file
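The access restriction recommended for the auto-unlocker file can be checked with a short script. This is an added example, not part of Iguana or its documentation; it assumes a POSIX host where file mode bits are meaningful, and the function names and the demo file names are hypothetical.

```python
import os
import stat
import tempfile


def audit_autounlockers(directory):
    """Return (path, problem) findings for *.autounlocker files in directory.

    Assumption: POSIX permissions. A file is flagged when any group/other
    permission bit is set; the directory is flagged when group/other can
    write to it, since that allows the file to be replaced or removed.
    """
    findings = []
    dir_mode = stat.S_IMODE(os.stat(directory).st_mode)
    if dir_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append((directory, "directory writable by group/other"))
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".autounlocker"):
            continue
        path = os.path.join(directory, name)
        extra = stat.S_IMODE(os.stat(path).st_mode) & 0o077
        if extra:
            findings.append((path, f"group/other access bits set: {extra:03o}"))
    return findings


def demo():
    """Build a constructed locker directory and audit it."""
    with tempfile.TemporaryDirectory() as d:
        os.chmod(d, 0o700)
        # Constructed sample files: one owner-only, one world-readable.
        for name, mode in (("good.autounlocker", 0o600),
                           ("bad.autounlocker", 0o644)):
            path = os.path.join(d, name)
            with open(path, "wb") as f:
                f.write(b"constructed placeholder, not a real unlocker")
            os.chmod(path, mode)
        return [(os.path.basename(p), msg) for p, msg in audit_autounlockers(d)]


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Point `audit_autounlockers` at the directory that holds your log encryption locker; an empty result means only the owning account can reach the auto-unlocker file.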
Note: You can also supply the password by using the log_encryption_password argument for the Iguana executable. This may be used for some development environments; however, in most cases using Auto-Unlock is preferred.
Because the password is supplied as plain text, this method is not approved for use with production servers.
Initialization Examples
This is how to use the various initialization options:
- Enter the Log Locker Password manually on startup using the Iguana GUI:
  - First you will need to log in to Iguana
  - The Initialize Log Encryption Locker screen will open
  - Enter the password and press the Unlock button
- Enable the Auto-Unlock feature to enter the password automatically:
  - Open Settings > Log Encryption
  - Click the Enable button
  - Enter the Log Locker Password and click Enable